
I needed to have a virtual host use SSL encryption on our Apache 2.2 server. I was surprised at how little I could find searching Google on how to get such a setup working (Apache 2.2, SSL certificate and Windows Server 2003). Most of the pages I found detailed how to build Apache with SSL to run on a Linux server.
I finally got this working after spending half the day on it (and using various resources like this one), so I thought I'd throw up the directions that I followed in case someone else is trying to do the same thing. This is using Windows Server 2003 R2, Apache 2.2.6 and OpenSSL to create a certificate and then have your Apache server use it for SSL connections. Please note that your browser will complain about the certificate not being from a trustworthy source, since you sign it yourself rather than Verisign, Thawte, or any of the other certificate signing authorities.
First you need to download Apache to install. The latest Win32 binaries include a build that bundles the OpenSSL component you need, so you don't have to build your own; you might want to start with this version. We had an older version installed, so I uninstalled it and then installed this version:
Now verify that the server is running; you should see the default "Welcome" page.
- Open your browser and point to http://localhost
Now we need to download a configuration file (openssl.cnf) to use with the OpenSSL tool to generate the certificate information.
Now we need to open a command-line prompt to use the OpenSSL tool. You'll want to change to the "bin" directory of Apache to save some typing.
- cd C:\Program Files\Apache Software Foundation\Apache2.2\bin
Now we create the CSR file, which is what we use when requesting a certificate from an SSL signing authority. We need to do this even if we are going to create and "sign" our own certificate. In the rest of these examples I use www.yourdomainname.com as a placeholder that you would replace with the domain you want to have SSL encryption on.
- Execute "openssl req -config openssl.cnf -new -out www.yourdomainname.com.csr -keyout www.yourdomainname.com.pem"
- Enter a passphrase "abcd123"
- For country code enter "US"
- For state enter "My State"
- For locality enter "My City"
- For Organization Name enter "My Company"
- For organizational unit enter "My Department"
- For common name enter "www.yourdomainname.com"
- For e-mail address enter "my_email@yourdomainname.com"
- For challenge password enter "pd3due843"
This creates the request and a private key protected by the passphrase, but we want to remove the passphrase rather than keep it. We use the OpenSSL tool to remove it:
- Execute "openssl rsa -in www.yourdomainname.com.pem -out www.yourdomainname.com.key"
- When prompted re-enter the passphrase
Make sure to delete the random file that was used to generate the key, since it could potentially be used by a malicious person to compromise your certificate.
Now create the X.509 certificate, which is what the web server presents to the browser so the traffic across the Internet can be encrypted.
- Execute "openssl x509 -in www.yourdomainname.com.csr -out www.yourdomainname.com.cert -req -signkey www.yourdomainname.com.key -days 365"
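The three OpenSSL steps above, run non-interactively, as an added example that is not part of the original post. It passes the post's sample subject values and passphrase on the command line with -subj, -passout and -passin instead of answering the prompts, asks for a 2048-bit key explicitly (the post relies on the default size from openssl.cnf), and omits "-config openssl.cnf" because a Linux or macOS OpenSSL finds its configuration on its own; on the Windows build from the post you still need that argument. The two checks at the end are what I would run before copying the files into Apache's conf folder: that the passphrase really was stripped, and that the key matches the certificate.

```shell
#!/bin/sh
# Added example: the post's OpenSSL steps, scripted. The domain is the
# post's placeholder and "abcd123" is the post's sample passphrase, which
# is removed again in step 2. Requires openssl on PATH.
set -e

DOMAIN="www.yourdomainname.com"
PASS="abcd123"
SUBJ="/C=US/ST=My State/L=My City/O=My Company/OU=My Department/CN=${DOMAIN}/emailAddress=my_email@yourdomainname.com"

# Step 1: CSR plus a passphrase-protected private key (the post's "openssl req").
make_csr() {
    openssl req -new -newkey rsa:2048 -subj "$SUBJ" \
        -passout "pass:$PASS" \
        -out "$DOMAIN.csr" -keyout "$DOMAIN.pem" 2>/dev/null
}

# Step 2: strip the passphrase so Apache can read the key at start-up
# without anyone typing it in (the post's "openssl rsa").
strip_passphrase() {
    openssl rsa -in "$DOMAIN.pem" -passin "pass:$PASS" \
        -out "$DOMAIN.key" 2>/dev/null
}

# Step 3: self-sign the CSR for 365 days (the post's "openssl x509 -req").
self_sign() {
    openssl x509 -req -in "$DOMAIN.csr" -signkey "$DOMAIN.key" -days 365 \
        -out "$DOMAIN.cert" 2>/dev/null
}

generate_all() {
    make_csr && strip_passphrase && self_sign
}

# Check 1: an encrypted PEM key carries "ENCRYPTED" in its header
# (either "Proc-Type: 4,ENCRYPTED" or "BEGIN ENCRYPTED PRIVATE KEY");
# the .key file handed to Apache must not.
key_is_unencrypted() {
    ! grep -q "ENCRYPTED" "$DOMAIN.key"
}

# Check 2: the certificate was made from this key, so the RSA modulus
# in both files must be identical. Apache refuses to start otherwise.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$DOMAIN.key" 2>/dev/null | openssl md5)
    c=$(openssl x509 -noout -modulus -in "$DOMAIN.cert" 2>/dev/null | openssl md5)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Common name as embedded in the certificate; this is what browsers
# compare against the host name in the URL.
cert_common_name() {
    openssl x509 -noout -subject -in "$DOMAIN.cert" 2>/dev/null \
        | sed -e 's/.*CN *= *//' -e 's|[,/].*||'
}
```

Run "generate_all", then "key_is_unencrypted && key_matches_cert" before copying the .key and .cert files into conf/extra/ssl; the .pem file that still carries the passphrase is not needed afterwards and can be deleted along with the random file.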
Okay, that should be all we need to do with the OpenSSL tool, but leave your command prompt open so we can test the configuration and restart the server later. Now we need to do some editing of our Apache configuration file.
- Open Notepad.exe
- Open your configuration file at "C:\Program Files\Apache Software Foundation\Apache2.2\conf\httpd.conf"
- Locate the line "LoadModule ssl_module modules/mod_ssl.so" and remove the pound # sign so that it is not commented out
- Locate the line "Include conf/extra/httpd-ssl.conf" and remove the pound # sign so that it is not commented out
- Create a folder named "ssl" in the folder "C:\Program Files\Apache Software Foundation\Apache2.2\conf\extra"
- Copy the file "C:\Program Files\Apache Software Foundation\Apache2.2\bin\www.yourdomainname.com.cert" to the folder "C:\Program Files\Apache Software Foundation\Apache2.2\conf\extra\ssl"
- Copy the file "C:\Program Files\Apache Software Foundation\Apache2.2\bin\www.yourdomainname.com.key" to the folder "C:\Program Files\Apache Software Foundation\Apache2.2\conf\extra\ssl"
- Open the file C:\Program Files\Apache Software Foundation\Apache2.2\conf\extra\httpd-ssl.conf
- Find and uncomment the line with the directive "SSLCertificateFile"
- Replace the path given to point to your .cert file
- Find and uncomment the line with the directive "SSLCertificateKeyFile"
- Replace the path given to point to your .key file
- Save the configuration file.
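A pre-flight check for the edits just listed, added here as an example rather than taken from the post or from Apache. It reads httpd.conf and httpd-ssl.conf, confirms the two lines were uncommented and the two SSL directives point at files that exist, and catches the one mistake that "httpd -t" does not report until the server is started: SSLCertificateKeyFile pointing at the .pem file that still has its passphrase instead of the stripped .key file. The config fragments and PEM files it writes are constructed samples for this example, not real keys; on the server itself you would point it at the real conf files.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# httpd.conf and httpd-ssl.conf edits. All files written by write_samples
# are constructed samples; none of the PEM bodies is a real key.

write_samples() {
    # httpd.conf after the edits: both lines uncommented.
    cat > httpd-good.conf <<'EOF'
#LoadModule speling_module modules/mod_speling.so
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
EOF
    # httpd.conf before the edits: both lines still commented out.
    cat > httpd-bad.conf <<'EOF'
#LoadModule ssl_module modules/mod_ssl.so
#Include conf/extra/httpd-ssl.conf
EOF
    # sample.pem keeps the passphrase header that "openssl rsa" strips;
    # sample.key is what should be handed to Apache.
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' 'notarealkey' \
        '-----END RSA PRIVATE KEY-----' > sample.pem
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'notarealkey' \
        '-----END RSA PRIVATE KEY-----' > sample.key
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'notarealcert' \
        '-----END CERTIFICATE-----' > sample.cert
    cat > ssl-good.conf <<'EOF'
SSLCertificateFile "sample.cert"
SSLCertificateKeyFile "sample.key"
EOF
    # Certificate line left commented, key line pointing at the encrypted .pem.
    cat > ssl-bad.conf <<'EOF'
#SSLCertificateFile "sample.cert"
SSLCertificateKeyFile "sample.pem"
EOF
}

# A directive is active when it starts a line (after optional whitespace)
# and is not preceded by '#'. $1 = config file, $2 = directive text.
directive_active() {
    grep -Eq "^[[:space:]]*$2" "$1"
}

# First value of an active directive with surrounding quotes removed;
# prints nothing if the directive is missing or commented out.
directive_value() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n1 \
        | sed -E 's/^[[:space:]]*'"$2"'[[:space:]]+//; s/^"//; s/"$//'
}

# $1 = httpd.conf, $2 = httpd-ssl.conf. Prints each problem found and
# returns the number of problems, so 0 means "ready for httpd -t".
check_ssl_config() {
    problems=0
    directive_active "$1" "LoadModule ssl_module" \
        || { echo "ssl_module is still commented out"; problems=$((problems+1)); }
    directive_active "$1" "Include conf/extra/httpd-ssl.conf" \
        || { echo "httpd-ssl.conf is still not included"; problems=$((problems+1)); }
    cert=$(directive_value "$2" SSLCertificateFile)
    key=$(directive_value "$2" SSLCertificateKeyFile)
    [ -n "$cert" ] \
        || { echo "SSLCertificateFile missing or commented out"; problems=$((problems+1)); }
    [ -n "$key" ] \
        || { echo "SSLCertificateKeyFile missing or commented out"; problems=$((problems+1)); }
    if [ -n "$cert" ] && [ ! -f "$cert" ]; then
        echo "certificate file not found: $cert"; problems=$((problems+1))
    fi
    if [ -n "$key" ] && [ ! -f "$key" ]; then
        echo "key file not found: $key"; problems=$((problems+1))
    fi
    # The post's "openssl rsa" step exists so this check never fires.
    if [ -n "$key" ] && [ -f "$key" ] && grep -q "ENCRYPTED" "$key"; then
        echo "key file is still passphrase-protected: $key"; problems=$((problems+1))
    fi
    return $problems
}
```

Typical use on the server is "check_ssl_config conf/httpd.conf conf/extra/httpd-ssl.conf" from the Apache2.2 folder, followed by "httpd -t" once it returns 0.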
Now we want to test the configuration files to make sure they are valid before we tell Apache to use them. To do this we run the main Apache program (httpd.exe) at the command line with the -t switch, which tests the configuration files without starting the server.
If there is an error, it should indicate which file and which line the error is in. You'll need to correct it and run the test again until you get "Syntax OK" back. After that we need to restart the Apache web server, at the command line, for the new configuration files to take effect.
- Execute "httpd.exe -k restart"
Once the service restarts, and it usually does pretty quickly, you should verify you can still access your server over normal TCP port 80 by using your web browser to go to http://www.yourdomainname.com and making sure you still see the "Welcome" page. If you do, next we want to verify the SSL connection, so change the address from "http" to "https" and press enter. You should now be presented with a dialog informing you that the certificate the web server presented isn't signed by a certificate signing authority. If you click to allow it, you should now have an SSL encrypted connection to your web server.
You can now go to a certificate signing authority to purchase a real SSL certificate so your users aren't presented with this error any longer. When the certificate signing authority asks for the CSR file, open the one you created (www.yourdomainname.com.csr) and copy and paste the text into the web form. When you receive the real certificate, it should have a .cer extension; place it in the folder we created earlier at "C:\Program Files\Apache Software Foundation\Apache2.2\conf\extra\ssl", then restart your web server at the command line with "C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd -k restart". You should now be able to browse to https://www.yourdomainname.com and not be prompted about problems with the certificate.
2 comments:
Thanks, Troy. Well written explanation. :)
Take care!
-Doch Savage
Does not work. I'm getting a Dutch message saying something like "server taking too long to respond"...